diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..82f9275 --- /dev/null +++ b/.gitignore @@ -0,0 +1,162 @@ +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/latest/usage/project/#working-with-version-control +.pdm.toml +.pdm-python +.pdm-build/ + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ diff --git a/install b/install new file mode 100755 index 0000000..1feafac --- /dev/null +++ b/install @@ -0,0 +1,35 @@ +#!/bin/bash + +## This installation file is compatible with Python version 3.8 and later and has been developed to adapt this software to new versions of Python. + +# check virtualenv + +virt=`whereis virtualenv | cut -d" " -f2` +if [ "$virt" == "/usr/bin/virtualenv" ];then + true +else + echo "virtualenv Not Installed ..." + echo "Start Install virtualenv" + sudo pip3 install virtualenv + echo "virtualenv Installed [ OK ]" +fi + + + +virtualenv venv +source venv/bin/activate +echo "virtualenv ctreated [ OK ]" +packages=`cat requirements.txt | cut -d" " -f1` +for p in $packages;do + pip install $p +done + +echo "Python Packages Installed [ OK ]" + +# create New Requirements File + +pip freeze > requirements.txt + + + + diff --git a/modules/antidbg.py b/modules/antidbg.py index c3ab767..2c40f3b 100755 --- a/modules/antidbg.py +++ b/modules/antidbg.py @@ -3,11 +3,9 @@ import sys from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # check for anti-debugging calls - def get_rule(path): root_dir = os.path.dirname(sys.modules['__main__'].__file__) return os.path.join(root_dir, 'signatures', path) diff --git a/modules/apialert.py b/modules/apialert.py index 764e326..dfc73cb 100755 --- a/modules/apialert.py +++ b/modules/apialert.py @@ -3,7 +3,7 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) + # checks for suspicious calls diff --git a/modules/aslr.py b/modules/aslr.py index 14d8599..9cef9a9 100755 --- a/modules/aslr.py +++ b/modules/aslr.py @@ -1,20 +1,21 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) - -# check if PE support for Address Space Layout Randomization - - +# Check if PE supports Address Space Layout Randomization (ASLR) def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( "ASLR", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) - if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE): + + # Define the DYNAMIC_BASE flag + DYNAMIC_BASE_FLAG = 0x0040 + + # Check if ASLR (DYNAMIC_BASE) is enabled + if binary.optional_header.dll_characteristics & DYNAMIC_BASE_FLAG: print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " The file supports Address Space Layout Randomization (ASLR)")) csv.write("1,") else: - print(( - colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Address Space Layout Randomization (ASLR)")) + print((colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Address Space Layout Randomization (ASLR)")) csv.write("0,") diff --git a/modules/badstr.py b/modules/badstr.py index 5b34295..9a4f9f4 100755 --- a/modules/badstr.py +++ b/modules/badstr.py @@ -5,7 +5,7 @@ import string from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) + # check for some possible bad strings hardcoded inside PE diff --git a/modules/certificate.py b/modules/certificate.py index af10f0c..040a51f 100755 --- a/modules/certificate.py +++ b/modules/certificate.py @@ -4,7 +4,6 @@ from . import colors from lief.PE import oid_to_string -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # print PE certificates diff --git a/modules/cfg.py b/modules/cfg.py index 40bcb0c..7e3b4da 100755 --- a/modules/cfg.py +++ b/modules/cfg.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # check if PE file supports control flow guard @@ -9,12 +8,16 @@ def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( "CFG", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) - if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.GUARD_CF): - print((colors.GREEN + "[" + '\u2713' + - "]" + colors.DEFAULT + " The file supports Control Flow Guard (CFG)")) - csv.write("1,") + + # Control Flow Guard (CFG) is represented by the 0x4000 flag in DLLCharacteristics + GUARD_CF_FLAG = 0x4000 + + if binary.optional_header.dll_characteristics & GUARD_CF_FLAG: + print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " Control Flow Guard (CFG) is enabled.")) + csv.write("CFG Enabled,") else: - print(( - colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Control Flow Guard (CFG)")) - csv.write("0,") + print((colors.RED + "[X]" + colors.DEFAULT + " Control Flow Guard (CFG) is not enabled.")) + csv.write("CFG Not Enabled,") + diff --git a/modules/codeint.py b/modules/codeint.py index 5894f9a..26b854d 100755 --- a/modules/codeint.py +++ b/modules/codeint.py @@ -1,7 +1,7 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) + # PE ignores Code Integrity? Let's find out together diff --git a/modules/dbgts.py b/modules/dbgts.py index 5a6b9ce..78dbd87 100755 --- a/modules/dbgts.py +++ b/modules/dbgts.py @@ -2,7 +2,7 @@ from . import colors import datetime -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) + # check for suspicious debug timestamps diff --git a/modules/dep.py b/modules/dep.py index f7b71d3..61d1a4d 100755 --- a/modules/dep.py +++ b/modules/dep.py @@ -1,16 +1,18 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) - -# check if PE supports Data Execution Prevention - - +# Check if PE supports Data Execution Prevention (DEP) def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( "DEP", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) - if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.NX_COMPAT): + + # Define NX_COMPAT flag + NX_COMPAT_FLAG = 0x0100 + + # Check if DEP (NX_COMPAT) is enabled + if binary.optional_header.dll_characteristics & NX_COMPAT_FLAG: print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " The file supports Data Execution Prevention (DEP)")) csv.write("1,") diff --git a/modules/exports.py b/modules/exports.py index 08fc394..274d771 100755 --- a/modules/exports.py +++ b/modules/exports.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # print exports of PE diff --git a/modules/fileheader.py b/modules/fileheader.py index 4cec24a..e86afc5 100755 --- a/modules/fileheader.py +++ b/modules/fileheader.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # print the PE header diff --git a/modules/gs.py b/modules/gs.py index 931d989..447f311 100755 --- a/modules/gs.py +++ b/modules/gs.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # check if PE supports cookies on the stack (GS) diff --git a/modules/imports.py b/modules/imports.py index 35a9e86..f97f1df 100755 --- a/modules/imports.py +++ b/modules/imports.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # print imports of PE diff --git a/modules/manifest.py b/modules/manifest.py index 145c2d2..2d8eb0b 100755 --- a/modules/manifest.py +++ b/modules/manifest.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # check whether the PE has a manifest diff --git a/modules/modules/__init__.py b/modules/modules/__init__.py new file mode 100755 index 0000000..e69de29 diff --git a/modules/modules/antidbg.py b/modules/modules/antidbg.py new file mode 100755 index 0000000..2c40f3b --- /dev/null +++ b/modules/modules/antidbg.py @@ -0,0 +1,41 @@ +import os +import lief +import sys +from . import colors + + +# check for anti-debugging calls + +def get_rule(path): + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'signatures', path) + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "ANTI-DB", " -------------------------------") + colors.DEFAULT)) + antidbg = [] + count = 0 + with open(get_rule('antidbg.txt')) as f: + content = [x for x in (line.strip() for line in f) if x] + try: + binary = lief.parse(malware) + for imported_library in binary.imports: + for func in imported_library.entries: + for susp in content: + if func.name == susp: + count += 1 + antidbg.append(susp) + if count > 0: + for x in antidbg: + print((colors.RED + x + colors.DEFAULT)) + else: + print(( + colors.GREEN + "[X]" + colors.DEFAULT + " None")) + f.close() + + csv.write(str(count)+",") + + except Exception as e: + print(e) + csv.write("Exception,") diff --git a/modules/modules/antivm.py b/modules/modules/antivm.py new file mode 100755 index 0000000..c7307a6 --- /dev/null +++ b/modules/modules/antivm.py @@ -0,0 +1,49 @@ +import re +from . import colors + + +# check for virtual-machine detection +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "ANTI-VM", " -------------------------------") + colors.DEFAULT)) + trk = [] + count = 0 + VM_Str = { + "Virtual Box": "VBox", + "VMware": "WMvare" + } + + # credit: Joxean Koret + VM_Sign = { + "Red Pill": "\x0f\x01\x0d\x00\x00\x00\x00\xc3", + "VirtualPc trick": "\x0f\x3f\x07\x0b", + "VMware trick": "VMXh", + "VMCheck.dll": "\x45\xC7\x00\x01", + "VMCheck.dll for VirtualPC": "\x0f\x3f\x07\x0b\xc7\x45\xfc\xff\xff\xff\xff", + "Xen": "XenVMM", + "Bochs & QEmu CPUID Trick": "\x44\x4d\x41\x63", + "Torpig VMM Trick": "\xE8\xED\xFF\xFF\xFF\x25\x00\x00\x00\xFF\x33\xC9\x3D\x00\x00\x00\x80\x0F\x95\xC1\x8B\xC1" + "\xC3", + "Torpig (UPX) VMM Trick": "\x51\x51\x0F\x01\x27\x00\xC1\xFB\xB5\xD5\x35\x02\xE2\xC3\xD1\x66\x25\x32\xBD\x83" + "\x7F\xB7\x4E\x3D\x06\x80\x0F\x95\xC1\x8B\xC1\xC3 " + } + + with open(malware, "r", errors='replace') as f: + buf = f.read() + for string in VM_Str: + match = re.findall(VM_Str[string], buf, + re.IGNORECASE | re.MULTILINE) + if match: + trk.append(string) + + for trick in VM_Sign: + if buf.find(VM_Sign[trick][::-1]) > -1: + count += 1 + trk.append(trick) + csv.write(str(count)+",") + + if not trk: + print((colors.GREEN + "[X]" + colors.DEFAULT + " No")) + csv.write("0,") + else: + print((colors.RED + "".join(trk) + colors.DEFAULT)) diff --git a/modules/modules/apialert.py b/modules/modules/apialert.py new file mode 100755 index 0000000..dfc73cb --- /dev/null +++ b/modules/modules/apialert.py @@ -0,0 +1,43 @@ +import os +import sys +import lief +from . import colors + + + +# checks for suspicious calls + + +def get_rule(path): + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'signatures', path) + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "API ALERT", " -------------------------------") + colors.DEFAULT)) + suspicious_api = [] + count = 0 + with open(get_rule('alerts.txt')) as f: + content = [x for x in (line.strip() for line in f) if x] + try: + binary = lief.parse(malware) + for imported_library in binary.imports: + for func in imported_library.entries: + for susp in content: + if func.name == susp: + count += 1 + suspicious_api.append(susp) + if count > 0: + for x in suspicious_api: + print((colors.RED + x + colors.DEFAULT)) + else: + print(( + colors.WHITE + "\n[*] Number of suspicious API calls: " + str(count) + colors.DEFAULT)) + f.close() + + csv.write(str(count)+",") + + except Exception as e: + print(e) + csv.write("Exception,") diff --git a/modules/modules/argv.py b/modules/modules/argv.py new file mode 100755 index 0000000..476275b --- /dev/null +++ b/modules/modules/argv.py @@ -0,0 +1,11 @@ +import sys +from . import colors + + +# check the script's argument (argparse who you are?) + + +def get(): + if len(sys.argv) != 2: + print(colors.ORANGE + "Usage: ./pepper ./malware_dir" + colors.ORANGE) + sys.exit(1) diff --git a/modules/modules/aslr.py b/modules/modules/aslr.py new file mode 100755 index 0000000..9cef9a9 --- /dev/null +++ b/modules/modules/aslr.py @@ -0,0 +1,21 @@ +import lief +from . import colors + +# Check if PE supports Address Space Layout Randomization (ASLR) +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "ASLR", " -------------------------------") + colors.DEFAULT)) + + binary = lief.parse(malware) + + # Define the DYNAMIC_BASE flag + DYNAMIC_BASE_FLAG = 0x0040 + + # Check if ASLR (DYNAMIC_BASE) is enabled + if binary.optional_header.dll_characteristics & DYNAMIC_BASE_FLAG: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " The file supports Address Space Layout Randomization (ASLR)")) + csv.write("1,") + else: + print((colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Address Space Layout Randomization (ASLR)")) + csv.write("0,") diff --git a/modules/modules/badstr.py b/modules/modules/badstr.py new file mode 100755 index 0000000..9a4f9f4 --- /dev/null +++ b/modules/modules/badstr.py @@ -0,0 +1,239 @@ +import lief +import sys +import xml.etree.ElementTree as ET +import os +import string +from . import colors + + + +# check for some possible bad strings hardcoded inside PE + + +def get_rule(path): + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'signatures', path) + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "BAD STRINGS", " -------------------------------" + colors.DEFAULT))) + stringsXml = ET.parse(get_rule('strings.xml')).getroot() + blacklisted = 0 + p = False + binary = lief.parse(malware) + strings = set() + for sect in binary.sections: + s = "" + for byte in sect.content: + if chr(byte) in string.printable: + s += chr(byte) + else: + if len(s) > 3: + strings.add(s) + s = "" + + print((colors.WHITE + "Passwords:" + colors.DEFAULT)) + for r in stringsXml.find('psw').findall('item'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nAnti-Virus detection:" + colors.DEFAULT)) + for r in stringsXml.find('avs').findall('av'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nRegular Expressions:" + colors.DEFAULT)) + for r in stringsXml.find('regexs').findall('regex'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nPrivileges:" + colors.DEFAULT)) + for r in stringsXml.find('privs').findall('priv'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nOids:" + colors.DEFAULT)) + for r in stringsXml.find('oids').findall('oid'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nAgents:" + colors.DEFAULT)) + for r in stringsXml.find('agents').findall('agent'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nFile extensions:" + colors.DEFAULT)) + for r in stringsXml.find('exts').findall('ext'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nSDDLs:" + colors.DEFAULT)) + for r in stringsXml.find('sddls').findall('sddl'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + allFolders = [f for fs in stringsXml.findall( + 'folders') for f in fs.findall('folder')] + for r in allFolders: + if r.text in strings: + if r.attrib['name'] is not None: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + else: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + + print((colors.WHITE + "\nGUIDs:" + colors.DEFAULT)) + for r in stringsXml.find('guids').findall('guid'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nRegistry:" + colors.DEFAULT)) + for r in stringsXml.find('regs').findall('reg'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nOperating Systems:" + colors.DEFAULT)) + for r in stringsXml.find('oss').findall('os'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nSandbox products:")) + for r in stringsXml.find('products').findall('product'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nSIDs:")) + for r in stringsXml.find('sids').findall('sid'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nProtocols:")) + for r in stringsXml.find('protocols').findall('protocol'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nUtilities:" + colors.DEFAULT)) + for r in stringsXml.find('utilities').findall('item'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + keys = 0 + print((colors.WHITE + "\nKeyboard keys:" + colors.DEFAULT)) + for r in stringsXml.find('keys').findall('key'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + keys += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nOperating Systems:" + colors.DEFAULT)) + for r in stringsXml.find('oss').findall('os'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nEvents:" + colors.DEFAULT)) + for r in stringsXml.find('events').findall('event'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + insults = 0 + p = True + if not p: + print("\tNone") + p = False + + print((colors.WHITE + "\nInsult:" + colors.DEFAULT)) + for r in stringsXml.find('insults').findall('insult'): + if r.text in strings: + print(("\t" + colors.RED + r.text + colors.DEFAULT)) + blacklisted += 1 + insults += 1 + p = True + if not p: + print("\tNone") + + csv.write(str(blacklisted)+",") diff --git a/modules/modules/banner.py b/modules/modules/banner.py new file mode 100755 index 0000000..65a734e --- /dev/null +++ b/modules/modules/banner.py @@ -0,0 +1,23 @@ +from . import colors + +# what script would be without a banner? + + +def get(): + print(colors.GREEN + " _____ ______ " + + colors.RED + " ") + print(colors.GREEN + "| __ \| ____|" + + colors.RED + " ") + print(colors.GREEN + "| |__) | |__ " + + colors.RED + " _ __ _ __ ___ _ __ ") + print(colors.GREEN + "| ___/| __| " + + colors.RED + "| '_ \| '_ \ / _ \ '__|") + print(colors.GREEN + "| | | |____ " + + colors.RED + "| |_) | |_) | __/ | ") + print(colors.GREEN + "|_| |______|" + + colors.RED + "| .__/| .__/ \___|_| ") + print(colors.GREEN + " " + + colors.RED + "| | | | ") + print(colors.GREEN + " " + + colors.RED + "|_| |_| ") + print((colors.BLUE + "\n Th3Hurrican3\n\n" + colors.DEFAULT)) diff --git a/modules/modules/certificate.py b/modules/modules/certificate.py new file mode 100755 index 0000000..040a51f --- /dev/null +++ b/modules/modules/certificate.py @@ -0,0 +1,84 @@ +import lief +import datetime +import time +from . import colors +from lief.PE import oid_to_string + + +# print PE certificates + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "CERTIFICATE", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + format_str = "{:<33} {:<30}" + format_dec = "{:<33} {:<30d}" + + if binary.has_signatures: + for item in binary.signatures: + for cert in item.certificates: + valid_from = "-".join(map(str, cert.valid_from[:3])) + dt = datetime.datetime.strptime(valid_from, '%Y-%m-%d') + timestamp = time.mktime(dt.timetuple()) + cert_from = datetime.datetime.fromtimestamp(timestamp) + + valid_to = "-".join(map(str, cert.valid_to[:3])) + dt = datetime.datetime.strptime(valid_to, '%Y-%m-%d') + timestamp = time.mktime(dt.timetuple()) + cert_to = datetime.datetime.fromtimestamp(timestamp) + + sn_str = ":".join( + ["{:02x}".format(e) for e in cert.serial_number]) + + if cert_from > datetime.datetime.now() or cert_to < datetime.datetime.now(): + print(( + colors.RED + "[X]" + colors.DEFAULT + " Invalid certificate")) + valid_from_str = "-".join(map(str, cert.valid_from[:3])) + " " + ":".join( + map(str, cert.valid_from[3:])) + valid_to_str = "-".join(map(str, cert.valid_to[:3])) + " " + ":".join( + map(str, cert.valid_to[3:])) + print((format_dec.format(colors.WHITE + "Version:" + + colors.DEFAULT, cert.version))) + print((format_str.format(colors.WHITE + + "Serial Number:" + colors.DEFAULT, sn_str))) + print((format_str.format(colors.WHITE + "Signature Algorithm:" + + colors.DEFAULT, oid_to_string(cert.signature_algorithm)))) + print((format_str.format(colors.WHITE + "Valid from:" + + colors.DEFAULT, valid_from_str))) + print((format_str.format(colors.WHITE + "Valid to:" + + colors.DEFAULT, valid_to_str))) + print((format_str.format(colors.WHITE + "Issuer:" + + colors.DEFAULT, cert.issuer))) + print((format_str.format(colors.WHITE + "Subject:" + + colors.DEFAULT, cert.subject))) + print('\n') + else: + print(( + colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " Valid certificate")) + valid_from_str = "-".join(map(str, cert.valid_from[:3])) + " " + ":".join( + map(str, cert.valid_from[3:])) + valid_to_str = "-".join(map(str, cert.valid_to[:3])) + " " + ":".join( + map(str, cert.valid_to[3:])) + print((format_dec.format(colors.WHITE + "Version:" + + colors.DEFAULT, cert.version))) + print((format_str.format(colors.WHITE + + "Serial Number:" + colors.DEFAULT, sn_str))) + print((format_str.format(colors.WHITE + "Signature Algorithm:" + + colors.DEFAULT, oid_to_string(cert.signature_algorithm)))) + print((format_str.format(colors.WHITE + "Valid from:" + + colors.DEFAULT, valid_from_str))) + print((format_str.format(colors.WHITE + "Valid to:" + + colors.DEFAULT, valid_to_str))) + print((format_str.format(colors.WHITE + "Issuer:" + + colors.DEFAULT, cert.issuer))) + print((format_str.format(colors.WHITE + "Subject:" + + colors.DEFAULT, cert.subject))) + print('\n') + + csv.write("1,") + + if not binary.has_signatures: + print((colors.RED + + "[X]" + colors.DEFAULT + " None")) + csv.write("0,") diff --git a/modules/modules/cfg.py b/modules/modules/cfg.py new file mode 100755 index 0000000..7e3b4da --- /dev/null +++ b/modules/modules/cfg.py @@ -0,0 +1,23 @@ +import lief +from . import colors + + +# check if PE file supports control flow guard + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "CFG", " -------------------------------") + colors.DEFAULT)) + + binary = lief.parse(malware) + + # Control Flow Guard (CFG) is represented by the 0x4000 flag in DLLCharacteristics + GUARD_CF_FLAG = 0x4000 + + if binary.optional_header.dll_characteristics & GUARD_CF_FLAG: + print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + " Control Flow Guard (CFG) is enabled.")) + csv.write("CFG Enabled,") + else: + print((colors.RED + "[X]" + colors.DEFAULT + " Control Flow Guard (CFG) is not enabled.")) + csv.write("CFG Not Enabled,") + diff --git a/modules/modules/codeint.py b/modules/modules/codeint.py new file mode 100755 index 0000000..26b854d --- /dev/null +++ b/modules/modules/codeint.py @@ -0,0 +1,25 @@ +import lief +from . import colors + + + +# PE ignores Code Integrity? Let's find out together + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "CODE INTEGRITY", " -------------------------------" + colors.DEFAULT))) + binary = lief.parse(malware) + if binary.has_configuration: + if isinstance(binary.load_configuration, lief.PE.LoadConfigurationV2) and binary.load_configuration.code_integrity.catalog == 0xFFFF: + print((colors.RED + + "[X]" + colors.DEFAULT + " The file doesn't support Code Integrity")) + csv.write("0,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " The file supports Code Integrity")) + csv.write("1,") + else: + print((colors.RED + "[X]" + colors.DEFAULT + + " Binary has no configuration")) + csv.write("Exception,") diff --git a/modules/modules/colors.py b/modules/modules/colors.py new file mode 100755 index 0000000..c78fe4d --- /dev/null +++ b/modules/modules/colors.py @@ -0,0 +1,8 @@ +# colors for output +BLUE = '\033[94m' +GREEN = '\033[32m' +RED = '\033[91m' +DEFAULT = '\033[39m' +ORANGE = '\033[33m' +WHITE = '\033[97m' +YELLOW = '\033[93m' diff --git a/modules/modules/dbgts.py b/modules/modules/dbgts.py new file mode 100755 index 0000000..78dbd87 --- /dev/null +++ b/modules/modules/dbgts.py @@ -0,0 +1,30 @@ +import lief +from . import colors +import datetime + + + +# check for suspicious debug timestamps + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "DEBUG TIME-STAMP", " -------------------------------" + colors.DEFAULT))) + binary = lief.parse(malware) + if binary.has_debug: + debug_list = binary.debug + for item in debug_list: + ts = item.timestamp + dbg_time = datetime.datetime.fromtimestamp(ts) + if dbg_time > datetime.datetime.now(): + print((colors.RED + '[' + '\u2713' + "]" + colors.DEFAULT + " The age (%s) of the debug file is suspicious" % ( + str(dbg_time)))) + csv.write("1,") + + else: + print((colors.GREEN + "[X]" + colors.DEFAULT + " Not suspicious")) + csv.write("0,") + else: + print((colors.RED + "[X]" + colors.DEFAULT + + " PE has not debug object")) + csv.write("Exception,") diff --git a/modules/modules/dep.py b/modules/modules/dep.py new file mode 100755 index 0000000..61d1a4d --- /dev/null +++ b/modules/modules/dep.py @@ -0,0 +1,22 @@ +import lief +from . import colors + +# Check if PE supports Data Execution Prevention (DEP) +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "DEP", " -------------------------------") + colors.DEFAULT)) + + binary = lief.parse(malware) + + # Define NX_COMPAT flag + NX_COMPAT_FLAG = 0x0100 + + # Check if DEP (NX_COMPAT) is enabled + if binary.optional_header.dll_characteristics & NX_COMPAT_FLAG: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " The file supports Data Execution Prevention (DEP)")) + csv.write("1,") + else: + print(( + colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Data Execution Prevention (DEP)")) + csv.write("0,") diff --git a/modules/modules/exports.py b/modules/modules/exports.py new file mode 100755 index 0000000..274d771 --- /dev/null +++ b/modules/modules/exports.py @@ -0,0 +1,25 @@ +import lief +from . import colors + + +# print exports of PE + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "EXPORTS", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + count = 0 + try: + for exported_library in binary.exports: + count = count + 1 + print(exported_library.name) + for func in exported_library.entries: + f_value = " {:<33} 0x{:<14x}" + print((colors.WHITE + f_value.format(func.address, + func.name) + colors.DEFAULT)) + print("\n") + csv.write(str(count) + ",") + except Exception as e: + print((colors.RED + "[X]" + colors.DEFAULT + " None")) + csv.write("0,") diff --git a/modules/modules/fileheader.py b/modules/modules/fileheader.py new file mode 100755 index 0000000..e86afc5 --- /dev/null +++ b/modules/modules/fileheader.py @@ -0,0 +1,32 @@ +import lief +from . import colors + + +# print the PE header + + +def get(malware): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "HEADER", " -------------------------------" + colors.DEFAULT))) + binary = lief.parse(malware) + header = binary.header + format_str = "{:<43} {:<30}" + format_dec = "{:<43} {:<30d}" + char_str = " - ".join([str(chara).split(".")[-1] + for chara in header.characteristics_list]) + print((format_str.format(colors.WHITE + "Signature:" + + colors.DEFAULT, "".join(map(chr, header.signature))))) + print((format_str.format(colors.WHITE + "Machine:" + + colors.DEFAULT, str(header.machine)))) + print((format_dec.format(colors.WHITE + "Number of sections:" + + colors.DEFAULT, header.numberof_sections))) + print((format_dec.format(colors.WHITE + "Time Date stamp:" + + colors.DEFAULT, header.time_date_stamps))) + print((format_dec.format(colors.WHITE + "Pointer to symbols:" + + colors.DEFAULT, header.pointerto_symbol_table))) + print((format_dec.format(colors.WHITE + "Number of symbols:" + + colors.DEFAULT, header.numberof_symbols))) + print((format_dec.format(colors.WHITE + "Size of optional header:" + + colors.DEFAULT, header.sizeof_optional_header))) + print((format_str.format(colors.WHITE + "Characteristics:" + + colors.DEFAULT, char_str))) diff --git a/modules/modules/gs.py b/modules/modules/gs.py new file mode 100755 index 0000000..447f311 --- /dev/null +++ b/modules/modules/gs.py @@ -0,0 +1,24 @@ +import lief +from . import colors + + +# check if PE supports cookies on the stack (GS) + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "GS", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + if binary.has_configuration: + if binary.load_configuration.security_cookie == 0: + print(( + colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support cookies on the stack (GS)")) + csv.write("0,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " The file supports cookies on the stack (GS)")) + csv.write("1,") + else: + print((colors.RED + "[X]" + colors.DEFAULT + + " Binary has no configuration")) + csv.write("Exception,") diff --git a/modules/modules/hashes.py b/modules/modules/hashes.py new file mode 100755 index 0000000..9ecea59 --- /dev/null +++ b/modules/modules/hashes.py @@ -0,0 +1,31 @@ +import hashlib +import os +import sys + +# return md5, sha1, sha256 hashes of data argument + + +def get(data): + BUF_SIZE = 65536 + md5 = hashlib.md5() + sha1 = hashlib.sha1() + sha256 = hashlib.sha256() + + if os.path.exists(sys.argv[1]): + with open(data, 'rb') as f: + while True: + data = f.read(BUF_SIZE) + if not data: + break + md5.update(data) + sha1.update(data) + sha256.update(data) + else: + print(("No such file or directory named: " + sys.argv[1])) + sys.exit() + + f.close() + md5 = md5.hexdigest() + sha1 = sha1.hexdigest() + sha256 = sha256.hexdigest() + return {'md5': md5, 'sha1': sha1, 'sha256': sha256} diff --git a/modules/modules/imphash.py b/modules/modules/imphash.py new file mode 100755 index 0000000..b4f40c5 --- /dev/null +++ b/modules/modules/imphash.py @@ -0,0 +1,30 @@ +import pefile +import sys +import os +from . import colors + +# Computes a fingerprint of the binary's IAT (Import Address Table). +# In a PE (Portable Executable) file, IAT contains the list of the dynamically linked libraries +# and functions a given binary needs to run. Thus, the idea here is: +# if two binaries have the same "imphash", there are high chances they have similar objectives. + + +def get_rule(path): + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'signatures', path) + + +# print the imphash +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "IMP-HASH", " -------------------------------") + colors.DEFAULT)) + try: + pe = pefile.PE(malware) + global susp_imp + susp_imp = False + print((pe.get_imphash())) + csv.write(pe.get_imphash()+",") + + except Exception as e: + print(e) + csv.write("Exception,") diff --git a/modules/modules/imports.py b/modules/modules/imports.py new file mode 100755 index 0000000..f97f1df --- /dev/null +++ b/modules/modules/imports.py @@ -0,0 +1,18 @@ +import lief +from . import colors + + +# print imports of PE + + +def get(malware): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "IMPORTS", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + for imported_library in binary.imports: + print((colors.YELLOW + imported_library.name + colors.DEFAULT)) + for func in imported_library.entries: + f_value = "\t{:<10} {:<33}" + print((f_value.format(colors.GREEN + "0x" + + str(func.iat_address) + colors.DEFAULT, func.name))) + print("\n") diff --git a/modules/modules/manifest.py b/modules/modules/manifest.py new file mode 100755 index 0000000..2d8eb0b --- /dev/null +++ b/modules/modules/manifest.py @@ -0,0 +1,19 @@ +import lief +from . import colors + + +# check whether the PE has a manifest + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "MANIFEST", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + if binary.has_resources and not binary.resources_manager.has_manifest: + print((colors.RED + "[X]" + colors.DEFAULT + " None")) + csv.write("0,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " PE has a manifest")) + print(binary.resources_manager.manifest) + csv.write("1,") diff --git a/modules/modules/metadata.py b/modules/modules/metadata.py new file mode 100755 index 0000000..67ad014 --- /dev/null +++ b/modules/modules/metadata.py @@ -0,0 +1,30 @@ +import magic +import os +from . import hashes +import datetime +from . import colors +import re + + +# print metadata of PE + + +def get(malware): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "METADATA", " -------------------------------") + colors.DEFAULT)) + name = re.sub(r'.*/', '/', malware)[1:] + format_dec = "{:<43} {:<30}" + print((format_dec.format(colors.WHITE + + "File name:" + colors.DEFAULT, str(name)))) + print((format_dec.format(colors.WHITE + "Upload time:" + colors.DEFAULT, + str((datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")))))) + print((format_dec.format(colors.WHITE + "File size:" + colors.DEFAULT, + str(os.path.getsize(malware)) + " byte"))) + print((format_dec.format(colors.WHITE + "File type:" + + colors.DEFAULT, str(magic.from_file(malware))))) + print((format_dec.format(colors.WHITE + "MD5:" + colors.DEFAULT, + str(hashes.get(malware)['md5'])))) + print((format_dec.format(colors.WHITE + "SHA1:" + colors.DEFAULT, + str(hashes.get(malware)['sha1'])))) + print((format_dec.format(colors.WHITE + "SHA256:" + colors.DEFAULT, + str(hashes.get(malware)['sha256'])))) diff --git a/modules/modules/optheader.py b/modules/modules/optheader.py new file mode 100755 index 0000000..b1f01f3 --- /dev/null +++ b/modules/modules/optheader.py @@ -0,0 +1,80 @@ +import lief +from . import colors +from lief import PE + + +# print PE optionals header + + +def get(malware): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "OPT HEADER", " -------------------------------" + colors.DEFAULT))) + binary = lief.parse(malware) + optional_header = binary.optional_header + format_str = "{:<43} {:<30}" + format_dec = "{:<43} {:<30d}" + format_hex = "{:<43} 0x{:<28x}" + dll_char_str = " - ".join([str(chara).split(".")[-1] + for chara in optional_header.dll_characteristics_lists]) + subsystem_str = str(optional_header.subsystem).split(".")[-1] + magic = "PE32" if optional_header.magic == PE.PE_TYPE.PE32 else "PE64" + print((format_str.format(colors.WHITE + "Magic:" + colors.DEFAULT, magic))) + print((format_dec.format(colors.WHITE + "Major linker version:" + + colors.DEFAULT, optional_header.major_linker_version))) + print((format_dec.format(colors.WHITE + "Minor linker version:" + + colors.DEFAULT, optional_header.minor_linker_version))) + print((format_dec.format(colors.WHITE + "Size of code:" + + colors.DEFAULT, optional_header.sizeof_code))) + print((format_dec.format(colors.WHITE + "Size of initialized data:" + + colors.DEFAULT, optional_header.sizeof_initialized_data))) + print((format_dec.format(colors.WHITE + "Size of uninitialized data:" + + colors.DEFAULT, optional_header.sizeof_uninitialized_data))) + print((format_hex.format(colors.WHITE + "Entry point:" + colors.DEFAULT, + optional_header.addressof_entrypoint))) + print((format_hex.format(colors.WHITE + "Base of code:" + + colors.DEFAULT, optional_header.baseof_code))) + if magic == "PE32": + print((format_hex.format(colors.WHITE + "Base of data" + + colors.DEFAULT, optional_header.baseof_data))) + print((format_hex.format(colors.WHITE + "Image base:" + + colors.DEFAULT, optional_header.imagebase))) + print((format_hex.format(colors.WHITE + "Section alignment:" + + colors.DEFAULT, optional_header.section_alignment))) + print((format_hex.format(colors.WHITE + "File alignment:" + + colors.DEFAULT, optional_header.file_alignment))) + print((format_dec.format(colors.WHITE + "Major operating system version:" + + colors.DEFAULT, optional_header.major_operating_system_version))) + print((format_dec.format(colors.WHITE + "Minor operating system version:" + + colors.DEFAULT, optional_header.minor_operating_system_version))) + print((format_dec.format(colors.WHITE + "Major image version:" + + colors.DEFAULT, optional_header.major_image_version))) + print((format_dec.format(colors.WHITE + "Minor image version:" + + colors.DEFAULT, optional_header.minor_image_version))) + print((format_dec.format(colors.WHITE + "Major subsystem version:" + + colors.DEFAULT, optional_header.major_subsystem_version))) + print((format_dec.format(colors.WHITE + "Minor subsystem version:" + + colors.DEFAULT, optional_header.minor_subsystem_version))) + print((format_dec.format(colors.WHITE + "WIN32 version value:" + + colors.DEFAULT, optional_header.win32_version_value))) + print((format_hex.format(colors.WHITE + "Size of image:" + + colors.DEFAULT, optional_header.sizeof_image))) + print((format_hex.format(colors.WHITE + "Size of headers:" + + colors.DEFAULT, optional_header.sizeof_headers))) + print((format_hex.format(colors.WHITE + "Checksum:" + + colors.DEFAULT, optional_header.checksum))) + print((format_str.format(colors.WHITE + "Subsystem:" + + colors.DEFAULT, subsystem_str))) + print((format_str.format(colors.WHITE + "DLL Characteristics:" + + colors.DEFAULT, dll_char_str))) + print((format_hex.format(colors.WHITE + "Size of stack reserve:" + + colors.DEFAULT, optional_header.sizeof_stack_reserve))) + print((format_hex.format(colors.WHITE + "Size of stack commit:" + + colors.DEFAULT, optional_header.sizeof_stack_commit))) + print((format_hex.format(colors.WHITE + "Size of heap reserve:" + + colors.DEFAULT, optional_header.sizeof_heap_reserve))) + print((format_hex.format(colors.WHITE + "Size of heap commit:" + + colors.DEFAULT, optional_header.sizeof_heap_commit))) + print((format_dec.format(colors.WHITE + "Loader flags:" + + colors.DEFAULT, optional_header.loader_flags))) + print((format_dec.format(colors.WHITE + "Number of RVA and size:" + + colors.DEFAULT, optional_header.numberof_rva_and_size))) diff --git a/modules/modules/output.py b/modules/modules/output.py new file mode 100755 index 0000000..fc5592d --- /dev/null +++ b/modules/modules/output.py @@ -0,0 +1,10 @@ +from . import colors + +# print the output + + +def get(filename): + print("\n------------------------------- {0:^13}{1:3}".format( + "DONE", " -------------------------------")) + print(colors.GREEN + "[" + str('\u2713') + "]" + + colors.DEFAULT + " Output written in " + filename + "-output.csv") diff --git a/modules/modules/packed.py b/modules/modules/packed.py new file mode 100755 index 0000000..729181a --- /dev/null +++ b/modules/modules/packed.py @@ -0,0 +1,42 @@ +import pefile +import sys +import peutils +import os +from . import colors + + +# check if the PE is packed + + +def get_rule(path): + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'signatures', path) + + +def get(malware, csv): + # We use a list of the most common signature (signatureDB.txt), credits goes to creators of PEid "BobSoft" + # get all possible matches found as the signature tree is walked. + # The last signature will always be the most precise (as more bytes will have been matched) + # and is the one returned by the match() method. + + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "PACKED", " -------------------------------") + colors.DEFAULT)) + try: + pe = pefile.PE(malware) + signatures = peutils.SignatureDatabase(get_rule('packers.txt')) + matches = signatures.match_all(pe, ep_only=True) + array = [] + if matches: + for item in matches: + if item[0] not in array: + array.append(item[0]) + print((colors.RED + "".join(array) + colors.DEFAULT)) + csv.write("1,") + else: + print((colors.GREEN + + "[X]" + colors.DEFAULT + " No packers signatures detected")) + csv.write("0,") + + except Exception as e: + print(e) + csv.write("Exception,") diff --git a/modules/modules/run.py b/modules/modules/run.py new file mode 100755 index 0000000..9ca21a2 --- /dev/null +++ b/modules/modules/run.py @@ -0,0 +1,96 @@ +from modules import metadata +from modules import url +from modules import virustotal +from modules import fileheader +from modules import optheader +from modules import sections +from modules import imports +from modules import exports +from modules import certificate +from modules import manifest +from modules import version +from modules import yarar +from modules import imphash +from modules import antidbg +from modules import antivm +from modules import apialert +from modules import cfg +from modules import dep +from modules import aslr +from modules import seh +from modules import packed +from modules import gs +from modules import codeint +from modules import dbgts +from modules import tls +from modules import badstr +import os + + +# run the analysis against multiple or single PE + + +def get(argv, csv): + if os.path.isdir(argv): + mal_directory = argv + for mal in (os.listdir(mal_directory)): + malware = mal_directory + "/" + mal + csv.write("\n"+mal+",") + metadata.get(malware) + fileheader.get(malware) + optheader.get(malware) + sections.get(malware, csv) + imphash.get(malware, csv) + imports.get(malware) + exports.get(malware, csv) + antidbg.get(malware, csv) + antivm.get(malware, csv) + apialert.get(malware, csv) + codeint.get(malware, csv) + cfg.get(malware, csv) + dep.get(malware, csv) + aslr.get(malware, csv) + seh.get(malware, csv) + gs.get(malware, csv) + tls.get(malware, csv) + codeint.get(malware, csv) + dbgts.get(malware, csv) + url.get(malware, csv) + manifest.get(malware, csv) + version.get(malware, csv) + badstr.get(malware, csv) + packed.get(malware, csv) + certificate.get(malware, csv) + virustotal.get(malware, csv) + yarar.get(malware, csv) + + else: + malware = argv + csv.write("\n"+malware+",") + metadata.get(malware) + fileheader.get(malware) + optheader.get(malware) + sections.get(malware, csv) + imphash.get(malware, csv) + imports.get(malware) + exports.get(malware, csv) + antidbg.get(malware, csv) + antivm.get(malware, csv) + apialert.get(malware, csv) + codeint.get(malware, csv) + cfg.get(malware, csv) + dep.get(malware, csv) + aslr.get(malware, csv) + seh.get(malware, csv) + gs.get(malware, csv) + tls.get(malware, csv) + codeint.get(malware, csv) + dbgts.get(malware, csv) + url.get(malware, csv) + manifest.get(malware, csv) + version.get(malware, csv) + badstr.get(malware, csv) + packed.get(malware, csv) + certificate.get(malware, csv) + virustotal.get(malware, csv) + yarar.get(malware, csv) diff --git a/modules/modules/sections.py b/modules/modules/sections.py new file mode 100755 index 0000000..9f8328f --- /dev/null +++ b/modules/modules/sections.py @@ -0,0 +1,93 @@ +import lief +from . import colors + +# print PE sections +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "SECTIONS", " -------------------------------") + colors.DEFAULT)) + sec = 0 + susp_sec = 0 + format_str = "{:<35} {:<35}" + binary = lief.parse(malware) + + # Define the known section characteristics based on numeric values + MEM_READ = 0x40000000 + MEM_WRITE = 0x80000000 + MEM_EXECUTE = 0x20000000 + CNT_CODE = 0x00000020 + + for section in binary.sections: + sec += 1 + print((colors.YELLOW + section.name + colors.DEFAULT)) + print((format_str.format(colors.WHITE + "\tVirtual Address: " + + colors.DEFAULT, str(section.virtual_address)))) + print((format_str.format(colors.WHITE + "\tVirtual Size: " + + colors.DEFAULT, str(section.virtual_size)))) + print((format_str.format(colors.WHITE + "\tRaw Size: " + + colors.DEFAULT, str(section.sizeof_raw_data)))) + print((format_str.format(colors.WHITE + "\tEntropy: " + + colors.DEFAULT, str(section.entropy)))) + + # Checking for section characteristics (readable, writable, executable) + if section.characteristics & MEM_READ: + print((format_str.format(colors.WHITE + "\tReadable: " + + colors.GREEN, "[" + str('\u2713') + "]"))) + else: + print((format_str.format(colors.WHITE + + "\tReadable: " + colors.RED, "[X]"))) + + if section.characteristics & MEM_WRITE: + print((format_str.format(colors.WHITE + "\tWritable: " + + colors.GREEN, "[" + str('\u2713') + "]"))) + else: + print((format_str.format(colors.WHITE + + "\tWritable: " + colors.RED, "[X]"))) + + if section.characteristics & MEM_EXECUTE: + print((format_str.format(colors.WHITE + "\tExecutable: " + + colors.GREEN, "[" + str('\u2713') + "]"))) + else: + print((format_str.format(colors.WHITE + + "\tExecutable: " + colors.RED, "[X]"))) + + if section.size == 0 or (0 < section.entropy < 1) or section.entropy > 7: + print((format_str.format(colors.WHITE + "\tSuspicious:" + + colors.GREEN, "[" + str('\u2713') + "]"))) + susp_sec += 1 + else: + print((format_str.format(colors.WHITE + + "\tSuspicious: " + colors.RED, "[X]"))) + + # suspicious section based on entropy + print((colors.RED + "\n[-]" + colors.WHITE + " Suspicious section (entropy) ratio:" + colors.DEFAULT + " %i/%i" % + (susp_sec, sec))) + csv.write(str(susp_sec/sec) + "%,") + + # suspicious section names + standardSectionNames = [".text", ".bss", ".rdata", + ".data", ".idata", ".reloc", ".rsrc"] + suspiciousSections = 0 + for section in binary.sections: + if not section.name in standardSectionNames: + suspiciousSections += 1 + print((colors.RED + "[-]" + colors.WHITE + " Suspicious section (name) ratio:" + colors.DEFAULT + " %i/%i" % + (suspiciousSections, sec))) + csv.write(str(suspiciousSections/sec) + "%,") + + # size of code greater than size of code section + code_sec_size = 0 + for section in binary.sections: + if section.characteristics & CNT_CODE: + code_sec_size += section.size + + if binary.optional_header.sizeof_code > code_sec_size: + print((colors.RED + "[X]" + colors.DEFAULT + "The size of code (%i bytes) is bigger than the size (%i bytes) " + "of code sections" % + (binary.optional_header.sizeof_code, code_sec_size))) + csv.write("1,") + else: + print((colors.GREEN + "[" + '\u2713' + "]" + colors.DEFAULT + "The size of code (%i bytes) matches the size " + "of code sections" % + binary.optional_header.sizeof_code)) + csv.write("0,") + diff --git a/modules/modules/seh.py b/modules/modules/seh.py new file mode 100755 index 0000000..85be1de --- /dev/null +++ b/modules/modules/seh.py @@ -0,0 +1,21 @@ +import lief +from . import colors + +# Check if PE file uses Structured Exception Handling (SEH) +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "SEH", " -------------------------------") + colors.DEFAULT)) + + binary = lief.parse(malware) + + # Define the NO_SEH flag + NO_SEH_FLAG = 0x0400 + + # Check if the NO_SEH flag is set + if binary.optional_header.dll_characteristics & NO_SEH_FLAG: + print((colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Structured Exception Handling (SEH)")) + csv.write("0,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " The file supports Structured Exception Handling (SEH)")) + csv.write("1,") diff --git a/modules/modules/stringstat.py b/modules/modules/stringstat.py new file mode 100755 index 0000000..4965866 --- /dev/null +++ b/modules/modules/stringstat.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + + +def get_wanted_chars(): + wanted_chars = ["\0"] * 256 + + for i in range(32, 127): + wanted_chars[i] = chr(i) + + wanted_chars[ord("\t")] = "\t" + return "".join(wanted_chars) + + +def get_wanted_chars_unicode(): + wanted_chars = ["\0"] * 256 + + for i in range(32, 127): + wanted_chars[i] = chr(i) + + wanted_chars[ord("\t")] = "\t" + return "".join(wanted_chars) + + +def get_result(filename): + results = [] + + THRESHOLD = 4 + + for s in open(filename, errors="ignore").read().translate(get_wanted_chars()).split("\0"): + if len(s) >= THRESHOLD: + results.append(s) + + return results diff --git a/modules/modules/stringutil.py b/modules/modules/stringutil.py new file mode 100755 index 0000000..7360941 --- /dev/null +++ b/modules/modules/stringutil.py @@ -0,0 +1,21 @@ +import string + +# the "strings" utility written in Python + + +def get(filename, min=4): + try: + with open(filename, "rb") as f: + result = "" + for c in f.read(): + if c in string.printable: + result += c + continue + if len(result) >= min: + yield result + result = "" + if len(result) >= min: + yield result + + except Exception as e: + print(e) diff --git a/modules/modules/tls.py b/modules/modules/tls.py new file mode 100755 index 0000000..5a28823 --- /dev/null +++ b/modules/modules/tls.py @@ -0,0 +1,29 @@ +import lief +from . import colors + + + +# malwares employ Thread Local Storage callbacks to evade debugger messages + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "TLS", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + if not binary.has_tls: + print((colors.GREEN + "[X]" + colors.DEFAULT + " None")) + csv.write("0,") + + else: + csv.write("1,") + table_entry_address = binary.tls.addressof_callbacks + callback = binary.get_content_from_virtual_address( + table_entry_address, 4) + callback = '0x' + "".join(["{0:02x}".format(x) + for x in callback[::-1]]) + while int(callback, 16) != 0: + print(('\t' + callback)) + table_entry_address += 4 + callback = binary.get_content_from_virtual_address( + table_entry_address, 4) + callback = '0x' + "".join(["{0:02x}".format(x) for x in callback]) diff --git a/modules/modules/url.py b/modules/modules/url.py new file mode 100755 index 0000000..2f0e484 --- /dev/null +++ b/modules/modules/url.py @@ -0,0 +1,71 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +import re +from . import stringstat +from . import colors + +# check for presence of IP/URL in PE + + +def valid_ip(address): + try: + host_bytes = address.split('.') + valid = [int(b) for b in host_bytes] + valid = [b for b in valid if b >= 0 and b <= 255] + return len(host_bytes) == 4 and len(valid) == 4 + except: + return False + + +def get(malware, csv): + print(colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "URL", " -------------------------------") + colors.DEFAULT) + ip_list = [] + file_list = [] + url_list = [] + strings_list = list(stringstat.get_result(malware)) + + # Strings analysis + for string in strings_list: + + if len(string) < 2000: + # URL list + urllist = re.findall( + r'((smb|srm|ssh|ftps?|file|https?):((//)|(\\\\))+([\w\d:#@%/;$()~_?\+-=\\\.&](#!)?)*)', string, re.MULTILINE) + if urllist: + for url in urllist: + url_list.append(re.sub(r'\(|\)|;|,|\$', '', url[0])) + + # IP list + iplist = re.findall(r'[0-9]+(?:\.[0-9]+){3}', string, re.MULTILINE) + if iplist: + for ip in iplist: + if valid_ip(str(ip)) and not re.findall(r'[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.0', str(ip)): + ip_list.append(str(ip)) + + # FILE list + fname = re.findall( + "(.+(\.([a-z]{2,3}$)|\/.+\/|\\\.+\\\))+", string, re.IGNORECASE | re.MULTILINE) + if fname: + for word in fname: + file_list.append(word[0]) + + ip_list = list(set([item for item in ip_list])) + url_list = list(set([item for item in url_list])) + + if url_list: + print("\n".join(url_list)) + csv.write(str(len(url_list))+",") + else: + print(colors.RED + "[X]" + colors.DEFAULT + " No URL") + csv.write("0,") + + print(colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "IP", " -------------------------------") + colors.DEFAULT) + if ip_list: + print("\n".join(ip_list)) + csv.write(str(len(ip_list))+",") + else: + print(colors.RED + "[X]" + colors.DEFAULT + " None") + csv.write("0,") diff --git a/modules/modules/version.py b/modules/modules/version.py new file mode 100755 index 0000000..abcb18d --- /dev/null +++ b/modules/modules/version.py @@ -0,0 +1,19 @@ +import lief +from . import colors + + +# check if PE has a version + + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "VERSION", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) + if binary.has_resources and not binary.resources_manager.has_version: + print((colors.RED + "[X]" + colors.DEFAULT + " PE has no version")) + csv.write("0,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " PE has a version")) + print((str(binary.resources_manager.version.string_file_info))) + csv.write("1,") diff --git a/modules/modules/virustotal.py b/modules/modules/virustotal.py new file mode 100755 index 0000000..3522e1e --- /dev/null +++ b/modules/modules/virustotal.py @@ -0,0 +1,31 @@ +from . import hashes +import requests +from . import colors + +# check the md5 hash of pe file with the VirusTotal Database +# 0bc448f09b38bff5292bd76eb276899c4b0e632fc5aec9c23f9f183c61fca206 + +def get(malware, csv): + print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( + "VIRUS-TOTAL", " -------------------------------" + colors.DEFAULT))) + url = 'https://www.virustotal.com/vtapi/v2/file/report' + params = {'apikey': '', # your private key here + 'resource': hashes.get(malware)['md5']} + + if params['apikey']: + response = requests.get(url, params=params) + result = response.json() + if result['response_code'] == 0: + print((colors.RED + "[X]" + colors.DEFAULT + " No\n")) + csv.write("0%,") + else: + print((colors.GREEN + "[" + '\u2713' + + "]" + colors.DEFAULT + " Found match")) + print((colors.WHITE + "Resource: " + colors.DEFAULT + str(result['resource']) + + colors.WHITE + "\nDetection ratio: " + colors.DEFAULT + + str(result['positives']) + " / " + str(result['total']) + + colors.WHITE + "\nAnalysis date: " + colors.DEFAULT + str(result['scan_date'] + "\n"))) + csv.write(str(result['positives']/result['total']) + "%,") + else: + print(colors.RED + "[X]" + colors.DEFAULT + " API token not found") + csv.write("Exception,") diff --git a/modules/modules/yarar.py b/modules/modules/yarar.py new file mode 100755 index 0000000..e9d4a26 --- /dev/null +++ b/modules/modules/yarar.py @@ -0,0 +1,77 @@ +import yara +import os +import sys +from . import colors +import string + +def get_yara_path(rule_file): + """Construct the full path to the specified YARA rule file.""" + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'rules', rule_file) + +def compile_yara_rules(): + """Compile YARA rules from predefined rule files.""" + rule_files = { + 'AntiVM/DB': 'Antidebug_AntiVM_index.yar', + 'Crypto': 'Crypto_index.yar', + 'CVE': 'CVE_Rules_index.yar', + 'Exploit': 'Exploit-Kits_index.yar', + 'Document': 'Malicious_Documents_index.yar', + 'Malware': 'malware_index.yar', + 'Packers': 'Packers_index.yar', + 'Webshell': 'Webshells_index.yar' + } + return yara.compile(filepaths={name: get_yara_path(file) for name, file in rule_files.items()}) + +def print_match_info(match): + """Print details of a matched YARA rule.""" + print(f"{colors.YELLOW}{match.rule}{colors.DEFAULT}") + print(f"{colors.WHITE}\tType: {colors.RED}{match.namespace}{colors.DEFAULT}") + tags = ", ".join(match.tags) if match.tags else "None" + print(f"{colors.WHITE}\tTags: {colors.DEFAULT}{tags}") + print(f"{colors.WHITE}\tMeta:{colors.DEFAULT}") + + for key, value in match.meta.items(): + print(f"{colors.WHITE}\t\t{key.capitalize()}: {colors.DEFAULT}{value}") + +def process_matched_strings(strings): + """Process and print matched strings from a YARA match.""" + format_str = "{:<35} {:<1} {:<1}" + non_printable_count = 0 + + for string_match in strings: + # Access the string name and matched string value + string_name = string_match[0] # Name of the string + matched_string_value = string_match.string # Matched string data + + if all(c in string.printable for c in matched_string_value.decode('utf-8', errors='replace')): + print(f"\t\t{format_str.format(matched_string_value.decode('utf-8', errors='replace'), '| Occurrences:', 1)}") + else: + non_printable_count += 1 + + if non_printable_count > 0: + print(f"\t\t[X] {non_printable_count} string(s) not printable") + +def get(malware, csv): + """Main function to get YARA matches for the given malware file.""" + print(f"{colors.WHITE}\n------------------------------- {colors.DEFAULT} YARA RULES {colors.DEFAULT} -------------------------------{colors.DEFAULT}") + + rules = compile_yara_rules() + + with open(malware, 'rb') as f: + matches = rules.match(data=f.read()) + + if matches: + for match in matches: + print_match_info(match) + if not match.strings: + print(f"{colors.WHITE}\tStrings: None") + else: + print(f"{colors.WHITE}\tStrings: {colors.DEFAULT}") + # Process matched strings directly from match.strings + process_matched_strings(match.strings) + print("\n") + csv.write(str(len(matches))) + else: + print(f"{colors.RED}[X] No matches found{colors.DEFAULT}") + csv.write(str(len(matches))) diff --git a/modules/optheader.py b/modules/optheader.py index d03ace0..b1f01f3 100755 --- a/modules/optheader.py +++ b/modules/optheader.py @@ -2,7 +2,6 @@ from . import colors from lief import PE -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # print PE optionals header diff --git a/modules/sections.py b/modules/sections.py index 06943b0..9f8328f 100755 --- a/modules/sections.py +++ b/modules/sections.py @@ -1,11 +1,7 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) - # print PE sections - - def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( "SECTIONS", " -------------------------------") + colors.DEFAULT)) @@ -13,6 +9,13 @@ def get(malware, csv): susp_sec = 0 format_str = "{:<35} {:<35}" binary = lief.parse(malware) + + # Define the known section characteristics based on numeric values + MEM_READ = 0x40000000 + MEM_WRITE = 0x80000000 + MEM_EXECUTE = 0x20000000 + CNT_CODE = 0x00000020 + for section in binary.sections: sec += 1 print((colors.YELLOW + section.name + colors.DEFAULT)) @@ -25,21 +28,22 @@ def get(malware, csv): print((format_str.format(colors.WHITE + "\tEntropy: " + colors.DEFAULT, str(section.entropy)))) - if section.has_characteristic(lief.PE.SECTION_CHARACTERISTICS.MEM_READ): + # Checking for section characteristics (readable, writable, executable) + if section.characteristics & MEM_READ: print((format_str.format(colors.WHITE + "\tReadable: " + colors.GREEN, "[" + str('\u2713') + "]"))) else: print((format_str.format(colors.WHITE + "\tReadable: " + colors.RED, "[X]"))) - if section.has_characteristic(lief.PE.SECTION_CHARACTERISTICS.MEM_WRITE): + if section.characteristics & MEM_WRITE: print((format_str.format(colors.WHITE + "\tWritable: " + colors.GREEN, "[" + str('\u2713') + "]"))) else: print((format_str.format(colors.WHITE + "\tWritable: " + colors.RED, "[X]"))) - if section.has_characteristic(lief.PE.SECTION_CHARACTERISTICS.MEM_EXECUTE): + if section.characteristics & MEM_EXECUTE: print((format_str.format(colors.WHITE + "\tExecutable: " + colors.GREEN, "[" + str('\u2713') + "]"))) else: @@ -73,7 +77,7 @@ def get(malware, csv): # size of code greater than size of code section code_sec_size = 0 for section in binary.sections: - if section.has_characteristic(lief.PE.SECTION_CHARACTERISTICS.CNT_CODE): + if section.characteristics & CNT_CODE: code_sec_size += section.size if binary.optional_header.sizeof_code > code_sec_size: @@ -86,3 +90,4 @@ def get(malware, csv): "of code sections" % binary.optional_header.sizeof_code)) csv.write("0,") + diff --git a/modules/seh.py b/modules/seh.py index 11abb6a..85be1de 100755 --- a/modules/seh.py +++ b/modules/seh.py @@ -1,18 +1,19 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) - -# check if PE file use Structured Error Handling (SEH) - - +# Check if PE file uses Structured Exception Handling (SEH) def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( "SEH", " -------------------------------") + colors.DEFAULT)) + binary = lief.parse(malware) - if binary.optional_header.has(lief.PE.DLL_CHARACTERISTICS.NO_SEH): - print(( - colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Structured Exception Handling (SEH)")) + + # Define the NO_SEH flag + NO_SEH_FLAG = 0x0400 + + # Check if the NO_SEH flag is set + if binary.optional_header.dll_characteristics & NO_SEH_FLAG: + print((colors.RED + "[X]" + colors.DEFAULT + " The file doesn't support Structured Exception Handling (SEH)")) csv.write("0,") else: print((colors.GREEN + "[" + '\u2713' + diff --git a/modules/tls.py b/modules/tls.py index d1abf89..5a28823 100755 --- a/modules/tls.py +++ b/modules/tls.py @@ -1,7 +1,7 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) + # malwares employ Thread Local Storage callbacks to evade debugger messages diff --git a/modules/version.py b/modules/version.py index 4209405..abcb18d 100755 --- a/modules/version.py +++ b/modules/version.py @@ -1,7 +1,6 @@ import lief from . import colors -lief.logging.set_level(lief.logging.LOGGING_LEVEL.ERROR) # check if PE has a version diff --git a/modules/virustotal.py b/modules/virustotal.py index 54c29e4..3522e1e 100755 --- a/modules/virustotal.py +++ b/modules/virustotal.py @@ -3,7 +3,7 @@ from . import colors # check the md5 hash of pe file with the VirusTotal Database - +# 0bc448f09b38bff5292bd76eb276899c4b0e632fc5aec9c23f9f183c61fca206 def get(malware, csv): print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( diff --git a/modules/yarar.py b/modules/yarar.py index d763df1..e9d4a26 100755 --- a/modules/yarar.py +++ b/modules/yarar.py @@ -4,65 +4,74 @@ from . import colors import string +def get_yara_path(rule_file): + """Construct the full path to the specified YARA rule file.""" + root_dir = os.path.dirname(sys.modules['__main__'].__file__) + return os.path.join(root_dir, 'rules', rule_file) -# checks if the PE matches some YARA rules (database: ~/rules) +def compile_yara_rules(): + """Compile YARA rules from predefined rule files.""" + rule_files = { + 'AntiVM/DB': 'Antidebug_AntiVM_index.yar', + 'Crypto': 'Crypto_index.yar', + 'CVE': 'CVE_Rules_index.yar', + 'Exploit': 'Exploit-Kits_index.yar', + 'Document': 'Malicious_Documents_index.yar', + 'Malware': 'malware_index.yar', + 'Packers': 'Packers_index.yar', + 'Webshell': 'Webshells_index.yar' + } + return yara.compile(filepaths={name: get_yara_path(file) for name, file in rule_files.items()}) +def print_match_info(match): + """Print details of a matched YARA rule.""" + print(f"{colors.YELLOW}{match.rule}{colors.DEFAULT}") + print(f"{colors.WHITE}\tType: {colors.RED}{match.namespace}{colors.DEFAULT}") + tags = ", ".join(match.tags) if match.tags else "None" + print(f"{colors.WHITE}\tTags: {colors.DEFAULT}{tags}") + print(f"{colors.WHITE}\tMeta:{colors.DEFAULT}") + + for key, value in match.meta.items(): + print(f"{colors.WHITE}\t\t{key.capitalize()}: {colors.DEFAULT}{value}") -def get_yara(path): - root_dir = os.path.dirname(sys.modules['__main__'].__file__) - return os.path.join(root_dir, 'rules', path) +def process_matched_strings(strings): + """Process and print matched strings from a YARA match.""" + format_str = "{:<35} {:<1} {:<1}" + non_printable_count = 0 + + for string_match in strings: + # Access the string name and matched string value + string_name = string_match[0] # Name of the string + matched_string_value = string_match.string # Matched string data + if all(c in string.printable for c in matched_string_value.decode('utf-8', errors='replace')): + print(f"\t\t{format_str.format(matched_string_value.decode('utf-8', errors='replace'), '| Occurrences:', 1)}") + else: + non_printable_count += 1 + + if non_printable_count > 0: + print(f"\t\t[X] {non_printable_count} string(s) not printable") def get(malware, csv): - print((colors.WHITE + "\n------------------------------- {0:^13}{1:3}".format( - "YARA RULES", " -------------------------------") + colors.DEFAULT)) - rules = yara.compile(filepaths={'AntiVM/DB': get_yara('Antidebug_AntiVM_index.yar'), - 'Crypto': get_yara('Crypto_index.yar'), - 'CVE': get_yara('CVE_Rules_index.yar'), - 'Exploit': get_yara('Exploit-Kits_index.yar'), - 'Document': get_yara('Malicious_Documents_index.yar'), - 'Malware': get_yara('malware_index.yar'), - 'Packers': get_yara('Packers_index.yar'), - 'Webshell': get_yara('Webshells_index.yar')}) + """Main function to get YARA matches for the given malware file.""" + print(f"{colors.WHITE}\n------------------------------- {colors.DEFAULT} YARA RULES {colors.DEFAULT} -------------------------------{colors.DEFAULT}") - strings_list = [] - format_str = "{:<35} {:<1} {:<1}" + rules = compile_yara_rules() with open(malware, 'rb') as f: matches = rules.match(data=f.read()) + if matches: - for x in matches: - print((colors.YELLOW + str(x.rule) + colors.DEFAULT)) - print((colors.WHITE + "\tType: " + colors.RED + str(x.namespace))) - print((colors.WHITE + "\tTags: " + colors.DEFAULT + "".join(x.tags) - if x.tags else colors.WHITE + "\tTags: " + colors.DEFAULT + "None")) - print((colors.WHITE + "\tMeta:" + colors.DEFAULT)) - print((colors.WHITE + "\t\tDate: " + - colors.DEFAULT + str(x.meta.get('date')))) - print((colors.WHITE + "\t\tVersion: " + - colors.DEFAULT + str(x.meta.get('version')))) - print((colors.WHITE + "\t\tDescription: " + - colors.DEFAULT + str(x.meta.get('description')))) - print((colors.WHITE + "\t\tAuthor: " + - colors.DEFAULT + str(x.meta.get('author')))) - if not x.strings: - print((colors.WHITE + "\tStrings: " + colors.DEFAULT + "None")) + for match in matches: + print_match_info(match) + if not match.strings: + print(f"{colors.WHITE}\tStrings: None") else: - for i in x.strings: - strings_list.append(i[2]) - print((colors.WHITE + "\tStrings: " + colors.DEFAULT)) - non_printable_count = 0 - for i in list(set(strings_list)): - if all(str(c) in string.printable for c in i): - print(("\t\t" + format_str.format(str(i), colors.WHITE + - "| Occurrences:" + colors.DEFAULT, str(strings_list.count(i))))) - else: - non_printable_count += 1 - if non_printable_count > 0: - print("\t\t[X] " + str(non_printable_count) + " string(s) not printable") - del(strings_list[:]) + print(f"{colors.WHITE}\tStrings: {colors.DEFAULT}") + # Process matched strings directly from match.strings + process_matched_strings(match.strings) print("\n") csv.write(str(len(matches))) else: - print((colors.RED + "[X] No" + colors.DEFAULT)) + print(f"{colors.RED}[X] No matches found{colors.DEFAULT}") csv.write(str(len(matches)))